The Reserve Bank of India (RBI) has introduced a draft set of norms concerning the data governance system for regulated entities (REs), such as commercial banks and Non-Banking Financial Companies (NBFCs). These norms emphasize the necessity of ensuring data accuracy, consistency, confidentiality, integrity, and traceability across all systems and business functions.
Context and Objectives of Implementation
The presentation of the draft norms comes against the backdrop of preparations for implementing the Expected Credit Loss (ECL) system for loan loss provisioning, which is scheduled for April 1, 2027. Banks must strengthen their data infrastructure to successfully implement this ECL system.
According to the draft norms, the rapid growth of digital financial services, interconnected technological ecosystems, third-party agreements, advanced analytics, and automated decision-making processes has significantly increased the volume, speed, and complexity of data generated, processed, transmitted, and stored by regulated entities.
Requirements for Data Governance System
The norms stipulate that regulated entities must implement a Data Governance Framework (DGF) applicable to all data and align it with their risk management system. Furthermore, the system must be proportionate to the organization's size, complexity, business model, and IT and Information Security (IS) setup.
The DGF must be comprehensive, covering all aspects including organizational structure, policies and processes, risk management (including data privacy and security), technological infrastructure, and audit mechanisms throughout the entire data lifecycle.
Regulatory Compliance and Third-Party Engagement
Additionally, the system must comply with the Digital Personal Data Protection Act (DPDP) 2023, the DPDP Rules 2025, and all other applicable laws and regulations. The draft mandates that the DGF must be reviewed annually or more frequently if required.
Regarding collaboration with third parties, the RBI has stipulated that regulated entities remain responsible for managing the data they share with third parties, including affiliated groups. Data can only be transferred to third parties for pre-defined and approved purposes and to designated personnel.
REs must establish systems and control mechanisms for accessing, using, and deleting data shared with third parties, taking into account data classification, its sensitivity, and, crucially, customer consent in the case of customer data. The norms require REs to ensure the traceability of data shared with third parties back to a designated Single Source of Truth (SSOT), and to record metadata and provenance of such exchange. Data exchange that leads to unauthorized reuse, transfer, or duplication is also prohibited.
Role of Management and Functional Responsibilities
The draft norms establish that the board of directors of the bank or NBFC must oversee the data governance system and review the reports and metrics presented to them. Regulated entities must establish a Data Governance Committee (DGC) at the board level or delegate this responsibility to an existing board committee.
This committee will monitor the implementation of the DGF. It must develop data governance policies covering scope, data architecture, data risk management, data ownership, accountability, and responsibility for data throughout its lifecycle, data quality management, data classification framework, and third-party agreements.
Moreover, regulated entities must integrate data risk management processes into the overall risk management system. When defining roles and responsibilities, the norms require the creation of a Data Function, headed by an officer at the level of Chief General Manager or equivalent, possessing sufficient authority, competence, and skills to implement the DGF.
The Data Function must develop metrics to monitor the effectiveness of the DGF. It should act as the central coordination point to ensure uniform interpretation and application of the DGF and related policies across all business, risk, technology, and other relevant functions.
A Data Owner must also be appointed for each data domain, who is responsible for ensuring that data in that domain is defined, classified, and used in accordance with the DGF. Furthermore, a Data Custodian must be appointed, responsible for ensuring access control and user rights in line with data classification and approved usage.
Finally, the draft norms suggest that REs create data quality management processes corresponding to the criticality, sensitivity, and classification of the data, and guarantee that the data is fit for its intended use by timely identifying and resolving significant issues.



